DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Information Technology Management Needs to Be Strengthened at the Transportation Security Administration

OIG-08-07    October 2007

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

October 26, 2007

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses how well the Transportation Security Administration (TSA) manages information technology (IT) to accomplish its mission of overseeing the security of the nation’s transportation systems. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
   Fragmented Technology Environment Lacks Integration and Standards
   Decentralized Agency Structure Impedes Efficient IT Management
   Numerous Challenges Exist in External Stakeholder Coordination
   Recommendations
Management Comments and OIG Evaluation

Appendices
Appendix A:   Scope and Methodology
Appendix B:   Management Comments to the Draft Report
Appendix C:   Major Contributors to This Report
Appendix D:   Report Distribution

Abbreviations
CAPPS II   Computer Assisted Passenger Prescreening System
CIO        Chief Information Officer
CTO        Chief Technology Officer
DHS        Department of Homeland Security
EDS        Explosive Detection System
ETD        Explosives Trace Detection
FAMS       Federal Air Marshal Service
GAO        Government Accountability Office
Hi-SOC     High-Speed Operational Connectivity
IT         Information Technology
ITD        Information Technology Division
OIA        Office of Intelligence and Analysis
OIG        Office of Inspector General
OPT        Operational Process and Technology
OST        Office of Security Technology
TSA        Transportation Security Administration
TSNM       Transportation Sector Network Management
TTAC       Transportation Threat Assessment and Credentialing

Figures
Figure 1   TSA Initial Milestones
Figure 2   Operational Process and Technology Responsibilities
Figure 3   EDS Machines Used by TSA to Screen Checked Baggage
Figure 4   TSA Offices with IT Activities
Figure 5   Process to Compile TSA Watch List
Figure 6   FY 07 IT and Security Technology Spending Across TSA Offices
Figure 7   IT Division Funding to FTE History
Figure 8   TSA’s Challenges in Stakeholder Coordination

Executive Summary

Information technology plays a critical role in supporting the Transportation Security Administration’s (TSA) security mission. Since 2001, TSA has been developing an initial IT infrastructure and implementing an array of explosive detection and X-ray systems to meet mission needs in key areas such as aviation security.

As part of our ongoing responsibility to assess the efficiency, effectiveness, and economy of departmental programs and operations, we reviewed TSA’s IT management programs and activities. The objectives of this review were to evaluate TSA’s management of current technologies and infrastructure to ensure effective transportation security mission operations and information management and exchange across internal and external stakeholders.

TSA does not manage and apply IT effectively to support accomplishment of its mission objectives. Due to early pressures to meet tight congressional time frames and the public’s demand for increased transportation security, TSA’s technology environment evolved quickly and in a highly decentralized manner. The resulting IT infrastructure has limited system integration and data sharing and has perpetuated inefficient manual work processes.
Additionally, due to a lack of authority and standard policies to govern technology implementation across TSA offices, the agency’s chief information officer (CIO) faces significant challenges in conducting agency-wide IT planning and investment management to counter the fragmented environment. The declining number of staff within the central IT Division also impedes the CIO’s ability to manage the IT infrastructure and support new technology requirements. Further, TSA faces disparate aviation stakeholder challenges, such as technical limitations and privacy assurance requirements, which largely remain outside of the agency’s control.

Background

The Aviation and Transportation Security Act (Public Law 107-71, November 19, 2001) established TSA as part of the Department of Transportation in response to the events of September 11, 2001. With the passage of this act, TSA gained responsibility for ensuring compliance with passenger and checked baggage screening regulations and deployment of security officers at approximately 450 airports. This act also called for TSA to enhance specific screening operations, such as the use of explosive detection screening for checked baggage, by December 31, 2002. Within 12 months, TSA implemented a technology and telecommunications infrastructure to meet these requirements. By the end of 2002, the agency had deployed a security operations workforce and assumed 100% of all airport screening responsibilities. In March 2003, TSA was transferred to form part of the newly established Department of Homeland Security. Figure 1 displays the timeline for these events.

[Figure 1: timeline, 2001 to 2003, marking these milestones: ATSA Became Law; TSA Assumes FAA Aviation Security Responsibilities; 100% Passenger Screening Deadline Met; IT Infrastructure Established; TSA Transfers to DHS; 100% Baggage Screening (Explosive Detection) Deadline Met]

Figure 1: TSA Initial Milestones

TSA’s current mission is to “protect the Nation’s transportation systems to ensure freedom of movement for people and commerce,” with a primary focus on the aviation sector. To accomplish this mission, the agency deploys thousands of federal air marshals, screens cargo, conducts intelligence gathering and analysis, invests in ongoing security technology research and development, manages numerous programs to improve threat identification and analysis capabilities, and disseminates information about its services to stakeholders and U.S. citizens. Leveraging new technology and partnerships with stakeholders are key factors of TSA’s transportation security approach.

Today, TSA is comprised of 11 business units with nearly 50,000 employees and a budget of approximately $6.3 billion for fiscal year 2007.
Foremost among the business units, the Office of Security Operations manages the agency’s primary airport field operations, as well as key security programs and frontline employees, including over 120 federal security directors and 40,000 transportation security officers. The airports that TSA serves vary considerably by size and number of passengers. The largest and busiest airports are designated as “Category X,” with smaller airports falling under categories 1 through 4 (from largest to smallest). In addition, the agency has a 24-hour security operations center and 21 field offices within the Federal Air Marshal Service (FAMS) to help support airport security operations. TSA also incurred significant challenges to build supporting IT from the ground up to meet the mandated deadlines for deploying trained security officers at airports and performing screening functions.

Over the past several years, a number of audit reports have discussed key challenges relating to the management of mission critical IT programs such as Secure Flight and the Transportation Worker Identification Credential Program, along with difficulties in IT contract management:

• In February 2004, the Government Accountability Office (GAO) reported on schedule delays and poor TSA planning to develop the Computer-Assisted Passenger Prescreening System (CAPPS II), eventually leading to cancellation of the program in August 2004.[1]

• In February 2006, a GAO study of the Secure Flight program revealed that TSA had not followed a disciplined life cycle management approach in developing the new program, with potential adverse effects for its implementation.[2] As a result, the Office of Management and Budget placed the Secure Flight program on its watch list of high-risk IT programs.

• In July 2005, regarding checked baggage screening technologies, GAO reported findings that several airports were still using stand-alone baggage screening machines and explosive trace detection machines instead of more efficient in-line systems.[3] GAO determined that improved planning would be needed for optimal deployment of the more efficient screening equipment to airports.

Additionally, in February 2006 we reported on TSA’s management of its contract with Unisys.[4] Under this contract, Unisys was required to set up an IT infrastructure for TSA and provide IT management services. We reported that the contract had suffered significant cost overruns and delays in implementing key deliverables, such as a high-speed operational connectivity package. We also reported that the overspending and performance issues identified had resulted in part from inadequate staff to oversee and manage the contract, and we recommended rebidding the contract.

[1] GAO, Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, GAO-04-385, February 2004.
[2] GAO, Aviation Security: Significant Management Challenges May Adversely Affect Implementation of the Transportation Security Administration’s Secure Flight Program, GAO-06-374T, February 2006.
[3] GAO, Aviation Security: Better Planning Needed to Optimize Deployment of Checked Baggage Screening Systems, GAO-05-896T, July 2005.
[4] DHS OIG, Transportation Security Administration’s Information Technology Managed Services Contract, OIG-06-23, February 2006.

Results of Audit

Fragmented Technology Environment Lacks Integration and Standards

TSA’s technology environment continues to be fragmented, hindering its ability to carry out its mission effectively. Upon creation, TSA made initial progress to establish a complete IT infrastructure, as well as a range of screening technologies for security operations at airports. However, due to time constraints, TSA’s technical environment evolved in a decentralized manner, leading to stovepiped systems with limited information sharing and technical standards. Additionally, gaps in IT solutions delivery and network connectivity continue to trigger manual and inefficient processes throughout the agency.

Initial Progress Made to Establish IT Infrastructure

TSA took major steps in a short time period to establish the infrastructure and security technology solutions needed to support its newly assigned mission operations. The TSA Operational Process and Technology (OPT) office is responsible for the majority of the agency’s IT and security technology functions. Specifically, as shown in Figure 2, this office administers the TSA’s IT infrastructure and security technology programs, as well as business management, risk management, and strategic innovation functions.

The IT Division is responsible for managing the agency’s IT infrastructure, including networks, desktops, standard applications, printers, cell phones, and peripheral hardware. To carry out these responsibilities, the IT Division oversees a range of sub-offices, including IT Security, IT Systems Innovation, IT Solutions Delivery, and the Business Management Office.

The Office of Security Technology (OST) is responsible for the agency’s programs for transportation screening equipment and explosive detection solutions. The primary functions of the OST are testing, deployment, and lifecycle maintenance of security technology solutions. Key sub-offices within the OST include Operations and Technical Planning, Technology Deployment and Optimization, Systems Analysis and Requirements Engineering, and Operational Integration.

Operational Process & Technology (OPT) / CIO / CTO
   IT Division (ITD)
      • IT Security
      • IT Systems Innovation
      • IT Solutions Delivery
      • Business Management Office
   Office of Security Technology (OST)
      • Operations and Technical Planning
      • Technology Deployment & Optimization
      • Systems Analysis/Requirements Engineering
      • Operational Integration

Figure 2: Operational Process and Technology Responsibilities

Beginning in 2001, the chief task of the IT Division was to establish a full-scale infrastructure within 12 months, including hardware, video, land mobile radios, phone communications, e-mail, and BlackBerry devices. By 2002, TSA had successfully implemented this IT infrastructure to support headquarters operations as well as the federal security directors and staff field locations. More recently, TSA completed a refresh of all desktops and laptops at headquarters, airports, and field offices, installing a uniform desktop image and standard lock-down policy across all sites.

TSA also has made strides in replacing dial-up communications with much-needed high-speed operational connectivity (Hi-SOC) to most airports’ passenger and baggage checkpoints, as well as to federal security directors’ offices.[5] TSA established a plan to expand Hi-SOC to the largest airport checkpoints; as of May 2007, the agency was 70% complete in implementing this plan for passenger checkpoint areas and 57% complete for baggage screening areas.
Once the high-speed connectivity is fully implemented, field locations will experience greater levels of productivity in performing daily online tasks, as well as in remotely transmitting data to TSA headquarters.

[5] As of May 2007, TSA has established basic high-speed connectivity at 86% of the nation’s category X and category 1 airports, and 99% of the nation’s category 2, 3, and 4 airports.

Improving contract management to help support this infrastructure has been another area of emphasis. Specifically, TSA is converting to a DHS vehicle to obtain IT support services, in an effort to overcome historical challenges with its IT managed services contract with Unisys. The DHS Enterprise Acquisition Gateway for Leading Edge Solutions contract is a standard, department-wide platform for acquiring IT services with improved cost efficiency and oversight. TSA will begin contracting actions in the first quarter of FY 2008 to transition to the new contract vehicle.

Meeting the aggressive congressional deadlines for implementing screening solutions was no easy undertaking. The Aviation and Transportation Security Act held TSA responsible for screening all passengers within 1 year from the date of enactment of the legislation, November 19, 2002, and required explosive detection screening for all checked baggage by December 31, 2002.[6] The deadline for explosive detection screening was later extended by one year.[7]

To meet this requirement, TSA’s OST instituted its Passenger Screening Program and Electronic Baggage Screening Program to rapidly procure and deploy security equipment to approximately 450 airports nationwide. For electronic baggage screening, TSA’s OST deployed two types of screening equipment: (1) explosive detection systems (EDS), which use X-rays to automatically recognize the characteristic signatures of threat explosives, and (2) explosives trace detection (ETD) equipment, which uses chemical analysis to detect traces of vapors and residue from explosive materials. By 2007, TSA’s OST successfully deployed over 13,000 pieces of security equipment, including enhanced walk-through metal detectors, threat image X-rays, certified explosive detection systems, and explosive trace detectors.

Since these initial deployments, the TSA OST has partnered with DHS’ Science and Technology Directorate for ongoing research and development to continually enhance its security technology solutions. The deployment of aviation security solutions accounts for the majority of spending within TSA’s OPT office.[8] TSA also conducts ongoing pilots as part of its process for testing new security equipment. For example, TSA pilots in 2007 involved new electronic baggage systems, passenger screening equipment, and airport access control systems.

[6] Aviation and Transportation Security Act, Public Law No. 107-71, Sec. 110, November 19, 2001.
[7] Homeland Security Act of 2002, Public Law No. 107-296, Sec. 425, November 25, 2002.
[8] OST spending represents $1.1 billion, of which $15.1M is categorized as IT for fiscal year 2007.

TSA has structured a Security Technology Integration Program within the OST to network its security equipment. The program will leverage Hi-SOC connectivity to establish a centralized enterprise data management system to facilitate the exchange of information between transportation security equipment located at the nation’s airports and the people who use, procure, and service the equipment. The resulting unified network will support remote access and monitoring, reduce operations and maintenance costs, and improve efficiency by facilitating system upgrades and patch management. The program will begin in 2008 and require up to four years to complete. Figure 3 gives an example of EDS machines in a stand-alone configuration.
After this\n                        program is complete, security equipment will be connected to a central\n                        network to automate data collection and provide remote monitoring\n                        capabilities.\n\n\n\n\n                        [Source: GAO-06-869]\n\n\n                        Figure 3: EDS Machines Used by TSA to Screen Checked Baggage\n\nStovepiped IT Environment Evolved\n\n                        Because of the fast-paced and ad hoc manner in which TSA was established,\n                        the supporting IT infrastructure evolved in a decentralized, inefficient manner.\n                        Specifically, the infrastructure is characterized by independent IT\n                        deployments, limited systems integration, inadequate IT solutions to meet user\n                        needs, and a range of locally developed applications to fill the gaps. These\n                        technical inefficiencies have resulted in a lack of information sharing across\n                        the agency\xe2\x80\x99s systems, further impeding effective data management practices\n                        and workflow. TSA does not employ effective systems development and\n                        lifecycle management practices throughout the agency. Such practices would\n                        ensure that future IT systems are instituted in a more integrated and\n                        disciplined manner to support cross-agency sharing.\n\n\n\n\n   Information Technology Management Needs to Be Strengthened at the Transportation Security Administration\n\n\n                                                    Page 7\n\n\x0c                     Independent and Non-Integrated Technology Deployments\n\n                     According to Office of Management and Budget Memorandum No. 
4, Circular A-130, agencies must ensure that IT planning and development activities do not duplicate existing capabilities within their organizations. However, TSA business offices have undertaken independent, parallel IT initiatives, resulting in specialized technology platforms, networks, and systems and, generally, a stovepiped IT environment across the agency. The IT Division is responsible for the basic TSA infrastructure. However, due in part to the IT Division’s limited staff and budget to service TSA-wide needs, a number of component offices also have established their own IT infrastructures and support operations, as illustrated below in Figure 4.

[Figure 4: TSA Offices with IT Activities. Organization chart of the Transportation Security Administration showing the following offices: Business Transformation & Culture; Chief Counsel; Office of Inspection; Special Counselor; Intelligence & Analysis; Strategic Communications & Public Affairs; Transportation Threat Assessment & Credentialing; Legislative Affairs; Security Operations; Transportation Sector Network Management (TSNM); Law Enforcement Federal Air Marshal Service (FAMS); Operational Process & Technology (OPT) (CIO / CTO); Human Capital (Training); Finance & Administration; Acquisition.]

For instance, the FAMS and the Office of Intelligence and Analysis are the foremost offices that have separate IT infrastructures, established in part due to their specialized mission operations and security requirements. First, the FAMS operates an independent network, and provides its own desktops, software licenses, applications, and IT support services. The FAMS began building this infrastructure after the terrorist attacks of September 11, 2001, highlighted the need for increased air transportation security.
A state of the art IT infrastructure with sophisticated scheduling and communications capabilities was needed to accommodate the exponential growth in the number of FAMS agents and offices and their operations.

Second, the Office of Intelligence and Analysis also manages a separate intelligence network and telephone system. Like the FAMS, this office conducts sensitive security operations, requiring specialized communications and IT systems.

To a lesser extent, other TSA offices also have developed systems and implemented applications independently to support their specialized missions. For example, the Human Capital Office led an effort to upgrade its online training system in September 2006. Once deployed, this customized system slowed computer operations across multiple field locations and adversely affected network performance. According to IT personnel, this incident was due to inadequate system testing and configuration management. Further, IT Division management stated that ongoing problems with congestion in server and network operations are due in part to the non-integrated systems and a proliferation of spreadsheets and databases.

As a result of such IT inefficiencies, TSA has incurred increasing operations and maintenance costs.
For example, the IT Division’s refresh of headquarters and field office computers in 2006 did not include the FAMS offices. Rather, the FAMS’ own IT organization completed a separate IT infrastructure refresh program at the same time under an independent contract. Similar instances occur throughout TSA business offices as separate contracts are established to manage major IT development efforts.

In the Transportation Threat Assessment and Credentialing (TTAC) office, where a number of contracts to develop vetting systems are managed, officials acknowledge that this approach is not cost-effective and that the systems should be supported through one consolidated contract for the organization. These parallel efforts result in an inefficient use of resources and limit the agency’s opportunities to realize cost savings through enterprise-wide planning and consolidation.

Given the independent and non-integrated manner in which technology has been deployed, there is a lack of standardization among the IT platforms, hardware, and software used throughout the agency. For example, a number of offices throughout the agency have acquired phone systems, mobile devices, and peripheral hardware from different vendors.
Additionally, several offices maintain separate, multiple contracts with providers of software, hardware, and application development services, as well as general services such as wireless IT.

In this fragmented technology environment, the agency has also faced challenges in obtaining enterprise-level software licenses. According to senior IT staff, if two offices require the same software or application licenses, there is no way to bring these requirements together to serve the whole agency. Further, because most offices do not maintain a specific budget for licenses, there are project managers with $5 to $10 million projects who lack the necessary project management software. As a result, TSA remains unable to provide its staff with the necessary tools to complete their job efficiently, or realize economies of scale through consolidation of hardware or software.

In this environment, the IT Division also is limited in its ability to manage effectively a complete inventory of all of the systems developed and deployed agency-wide. Multiple inventories are maintained, each with slight variations of system names that are based on different definitions of applications, systems, and projects. Further, TSA faces difficulties in establishing a true system of record for its field equipment due to multiple databases and locally managed spreadsheets.
As a result, TSA is unable to capture or maintain accurate records in systems such as its security equipment inventories, which range from 15,000 to 17,000 pieces of equipment. Such wide variations lead to an inability to document and maintain a complete picture of the existing technical environment and supporting data.

The IT Division hopes to minimize such redundant systems development activities through its new Systems Innovation Group, established to support central, CIO-led development of systems to meet common requirements across TSA. This effort supports the IT Division’s goal of becoming a “preferred provider of IT services and support.” However, the IT Division’s efforts to rein in duplicative systems have not yet been fully extended to all TSA field locations. As of June 2007, the IT Division had deployed limited technology solutions to the field to support basic management and administrative functions.

In the absence of central IT support, field locations typically have developed their own IT systems to meet day-to-day operational needs, such as recording time and attendance, tracking lost and found items, and maintaining inventories of uniforms and seized goods. However, to the extent that such systems are networked, they could potentially pose risks to infrastructure operations. They also are an ineffective use of resources.
To address these issues, the IT Division has begun documenting business requirements of the federal security directors responsible for overseeing airport security operations. The IT Division also plans to develop an updated “Federal Security Directors’ Toolkit” of business applications commonly used in the field.

Limited Information Sharing and Standards

Because TSA systems often are not integrated, there is a corresponding lack of information sharing and standardization across the agency. A number of TSA applications contain duplicate information with varying degrees of completeness and accuracy. For example, although the agency’s primary human resources management system contains basic employee data, the system is not interoperable with other personnel systems that need the same information. According to a senior IT official, there are more than a thousand databases at TSA, with no inventory of data across systems. Without a master record of available data, as well as standard data formats, TSA develops inconsistent information products and reports with duplicate and conflicting information.
Ultimately, TSA is unable to look across all of its systems to “connect the dots” and manage information in an integrated manner.

The agency also maintains multiple data centers without a unified strategy, vision, or oversight. For example, TTAC runs two data centers at Annapolis Junction, Maryland, and Colorado Springs, Colorado, while the IT Division hosts its own data center in St. Louis, Missouri. Though TSA IT personnel stated the Colorado Springs Data Center serves specific operational and security needs, other TSA officials were not able to provide clear reasons for the various data centers. Although DHS is trying to consolidate its data centers department-wide, TSA has not issued guidance on merging data centers within the component agency.

With limited enterprise-wide IT systems and information management practices, TSA lacks a rigorous and disciplined approach to program management. IT initiatives typically are managed independently without enforceable standards or guidance. Although the IT Division has created some tools and standards, such as a system development life cycle management methodology, these are only partially utilized across TSA offices. According to TSA officials, some project managers do not understand how to use the methodology; the guidance needs to be tailored or simplified to promote its use.
As GAO reported in February 2006, TSA’s failure to follow a disciplined life cycle management approach hindered success of the Secure Flight program.[9]

[9] GAO, Aviation Security: Significant Management Challenges May Adversely Affect Implementation of the Transportation Security Administration’s Secure Flight Program, GAO-06-374T, February 2006.

The IT Division has placed priority on developing a TSA Information Sharing Environment to address these information management issues. This initiative is intended to increase data integration and standardization by moving to a more flexible IT architecture. With this program, the IT Division plans to integrate independent databases so that information across systems can be accessed via a central location. Although a TSA Information Sharing Environment Roadmap was developed and funded in FY 2006, the allocation for this initiative has been reduced by over $16 million in the FY 2007 budget plan and next steps have been put on hold. Without leadership support for this effort, TSA remains challenged in following industry- and DHS-recommended practices for data sharing.

Inefficient Manual Processes Remain

Federal guidelines require that agencies improve the effectiveness of their mission operations.
However, the gaps in systems development and connectivity discussed above have led to a number of labor-intensive and inefficient processes. The agency spends a significant amount of time on manually collecting data to measure performance, manage security equipment configurations, and carry out administrative functions. Key processes such as TSA watch list implementation also are not well automated.

Data Collection and Configuration Management for Security Equipment

Because TSA screening equipment is not networked, daily processes to collect data on security operations create several challenges for TSA field personnel. Currently, airport staff must collect and compile performance management data from all transportation screening equipment and transfer it to the CTO’s website in a manner that is often unstructured and manually intensive. Since each type of equipment has its own unique method for collecting, storing, and downloading data, the manual nature of this part of the process permits gaps and inaccuracy in the raw data. Field officials must visit each explosive screening device and walk-through metal detector every hour to take a reading and log the data. This information is rolled up into daily reports for each airport, then e-mailed or faxed to headquarters for input to the national performance management system.

As a whole, this process for collecting data from the equipment is cumbersome, time consuming, and labor intensive.
Officials at one field location estimated that it takes 10 minutes of every hour to gather the data from each walk-through metal detector. Officials at another airport estimated that their transportation security officers annually dedicate 2,920 staff hours to performance data gathering. Because the manual process is subject to errors, analysts spend approximately 2 hours each day reconciling the performance data before submitting it to headquarters.

TSA’s existing configuration management processes for transportation security equipment are completely manual. For example, when changes (such as user names) are required in equipment configuration, TSA staff must physically visit each security component to make the updates. A field official must open each machine one at a time and enter the user name via a small keyboard. Additionally, given airports’ changing security needs, field staff often move the security equipment from checkpoint to checkpoint, especially when the units are highly portable. As such, TSA field personnel must maintain an accurate record of the location of each piece of equipment and its authorized users.
Supervisory staff complete the required paperwork on the changes in equipment location and send it to the appropriate offices at TSA headquarters.

TSA plans to address these inefficient processes and reduce the time and effort required to update security equipment. As previously discussed, the agency has begun deploying high-speed connectivity at all airports via its Hi-SOC program. TSA will build on this program by undertaking a Security Technology Integration Program to network the transportation security equipment, linking it to TSA headquarters. Once completed, this will enable TSA to streamline its performance measurement process by allowing the automatic collection of operational data from equipment. The programs will also support remote monitoring, diagnosis, and troubleshooting of checked baggage and passenger screening equipment. Overall, the OST believes that these programs will enhance security, improve resource management, and decrease operational costs.

Administrative Functions Need Improvement

As a result of deficiencies in TSA’s current online training system, TSA field personnel use various methods, such as paper logs or spreadsheets, to track employee training hours. According to a number of personnel, the current online training system does not provide an accurate tool for tracking coursework and ensuring that employees complete the hours required for their training and development.
As a result, TSA employees do not consistently receive full credit for hours taken and courses completed. To avoid such errors, training coordinators currently enter course hours manually, leading to potential mistakes and adverse effects on employees’ performance ratings.

Additionally, headquarters is unable to automatically update training software in the field due to the lack of network connectivity. As a result, the training coordinator must use compact disks to install software updates to each training computer, sometimes at multiple off-site locations each month. According to field personnel, it may take an hour and a half to update each computer, creating a significant burden given that there may be as many as 100 computers at a single location.

TSA Watch List Manual Procedures Create Security Concerns

Manual procedures for maintaining and disseminating the TSA watch list to stakeholders create security concerns and additional work for headquarters and field personnel. As shown in Figure 5, the TSA watch list process begins at the Terrorist Screening Center, which compiles information from across all federal stakeholder agencies and then provides a subset of this data to TSA. After receiving this information, TSA’s Office of Intelligence and Analysis merges it with the agency’s no-fly list.
TSA standardizes the data, puts it in Microsoft Excel format, and then posts it to a TSA web board on a daily basis. Airlines have the option of using the spreadsheet manually or downloading it to their respective systems. While this process was intended to be a temporary solution, it has been in place since 2002 and its replacement remains uncertain. Proposed replacements (i.e., Secure Flight and its predecessor, CAPPS II) have experienced long delays due to program management challenges.

[Figure 5: Process to Compile TSA Watch List. Flow chart in three columns. Terrorist Screening Center: compiles watch list from federal agencies; provides limited subset of watch list data to TSA. TSA Office of Intelligence & Analysis: merges limited watch list with TSA No-fly list; data in list is standardized; list is converted into Excel format; TSA posts MS Excel-format watch list to TSA web board daily. External Stakeholders: airlines apply spreadsheet manually or download it to their respective systems; watch list checked against airline passenger list.]

Until the current watch list process is replaced, TSA and its stakeholders face additional work to disseminate the list, as well as control access and ensure security once it is distributed. Specifically, because the list is downloaded in the form of a spreadsheet, the watch list can easily be e-mailed or printed by unauthorized parties.

Additional security concerns arise due to the fact that every airline implements the watch list differently; downloading the list is a manual process with no clear guidance on proper use. It also is unclear how stakeholders such as airlines should implement the list. For example, there are no standard procedures or guidelines for checking an individual’s name against those on the list.
One airline may check multiple spellings of a name, while another airline may simply check one spelling. Additionally, at smaller airlines, employees may manually check names against a spreadsheet, which can lead to human error.

Decentralized Agency Structure Impedes Efficient IT Management

TSA has yet to institute management controls effectively to ensure sufficient levels of IT oversight and guidance to its disparate offices. Although a cohesive agency-wide IT investment review process is in the early stages of development, TSA’s IT budgeting and program management functions remain scattered across a number of offices without adequate CIO oversight. Likewise, IT strategic planning remains uncoordinated, resulting in inadequate alignment of the various agencies’ technology plans with agency- and department-wide strategies. Further, a number of offices maintain their own IT staff because the IT Division has inadequate resources to support the users and technology requirements of TSA’s specialized business operations.

Limited Agency-Wide IT Oversight and Authority

The Clinger-Cohen Act (Public Law 104-106, February 10, 1996) requires that federal CIOs ensure that IT is acquired and managed in accordance with agency missions and policies. However, there is a lack of agency-wide authority and control of IT resources within TSA.
Although TSA has taken steps to strengthen its IT governance and acquisition processes, technology investments are managed in a decentralized fashion across the organization.

Investment and Program Management Structure

TSA has established an acquisition process and supporting governance structure, but has not yet instituted mechanisms for consistent oversight of agency-wide IT resources and initiatives. TSA’s IT investment review process is defined by DHS guidance,[10] the TSA acquisition program management process,[11] and CIO IT review guidance.[12] The agency’s acquisition structure is comprised of various review boards that oversee and approve investments at key decision points throughout their lifecycles. One such board, the Business Management Council, is co-chaired by the TSA Chief Procurement Officer and the TSA CIO. The Investment Review Board is chaired by the TSA Deputy Administrator and includes all TSA assistant administrators and other senior officials across the agency. These boards share responsibility for reviewing and approving all TSA acquisitions.

[10] DHS Management Directive 1400, Investment Review Process, March 15, 2007.
[11] TSA Management Directive 300.8, Acquisition Program Planning, Review and Reporting.
[12] TSA CIO IT Acquisition Review Guidance V1.1, April 2007.

TSA has a well-defined process for categorizing and reviewing investments. According to the TSA Acquisition Guide, investments are placed into one of four categories based on criteria such as cost, mission, risk, and resource allocations. Investments exceeding $50 million are categorized as level 1 and 2 projects and require a greater level of documentation to prepare for multiple TSA- and DHS-level reviews. These investments are subject to review by the Business Management Council, the Investment Review Board, and several DHS governance boards, chaired at executive levels up to the Deputy Secretary. Lower-level projects (levels 3 and 4) estimated at less than $50 million require only TSA Business Management Council review.

Although TSA has begun documenting and communicating guidance on its investment review process, questions remain regarding the agency’s ability to enforce the guidance consistently across TSA programs. According to a TSA official, program managers are not consistently aware of the existing review boards and have limited understanding of the decision making process. Further, Office of Acquisition personnel may not always be aware of all new programs and therefore cannot always guide them by providing information on the investment review process.
Program managers\xe2\x80\x99 lack of knowledge\n                           about the governance structure and policies also may contribute to limited\n                           compliance with acquisition management procedures. For example, managers\n                           with programs under development or still in the conceptual stage do not\n                           always understand when and how to enter the formal review process.\n\n                           The TSA CIO recognizes the need to closely partner with the Office of\n                           Acquisition to ensure involvement in IT-related investment decisions.\n                           Accordingly, the IT Division began updating IT acquisition review guidance\n                           in April 2007, however these updates have not yet been implemented. The\n                           new guidance will better integrate IT review functions with the existing\n                           acquisitions process. The guidance also reflects key changes in response to\n                           DHS\xe2\x80\x99 directive on IT integration and management, issued in March 2007.13\n\n                           Additionally, the DHS directive elevates the TSA CIO\xe2\x80\x99s role to providing\n                           formal review and reporting on all TSA IT acquisitions over $2.5 million.\n                           Given this change, acquisitions above this threshold must first go through the\n                           TSA IT review process before going to the DHS CIO and DHS Enterprise\n                           Architecture Board for approval. 
The updated TSA CIO guidance pursuant to the March 2007 directive is intended to improve coordination among business functions and give the CIO more visibility and authority regarding IT acquisitions.

Specifically, per the new guidance, the TSA CIO plans to provide a monthly report to the DHS CIO on any IT purchases under $2.5 million reviewed and approved. The IT Division’s Business Management Office has worked to communicate the new guidance to the business units since its development in April 2007. Business Management Office officials have noted an increase in the number of IT acquisitions they review since this directive was implemented. By reviewing and approving each IT acquisition, the TSA CIO expects to improve IT alignment with the agency’s mission and target architecture.

[13] DHS Management Directive 0007.1, Information Technology Integration and Management, March 15, 2007.

Decentralized Budget Management

Federal laws make an agency’s CIO responsible for IT capital planning and investment management functions.[14] However, TSA’s decentralized IT budget hinders visibility of IT spending across the organization.
As the agency evolved in a decentralized manner over the past five years, the CIO has had no official or substantive role in budgeting or planning for IT programs initiated in other offices apart from the IT Division. As a result, the CIO frequently is not consulted on significant technology decisions and investments.

There are a number of offices TSA-wide that are comparable to the IT Division in terms of IT budget control and authority. For example, the FAMS office independently manages its IT budget, as well as its own network, projects, and infrastructure. Similarly, due to its unique mission, the TTAC office maintains its own IT budget and resources. Specifically, given the office’s threat assessment and credentialing function, a number of high-profile programs, such as Secure Flight, receive direct funding through appropriations or user-generated fees. Because of its mandated funding, TTAC does not have to rely on external support from the IT Division to implement its programs. However, such mandated funding also hinders enterprise-wide, long-term IT planning, and reduces opportunities to integrate and leverage existing IT initiatives.

According to DHS Management Directive 0007.1, starting in 2009, each DHS component CIO will be responsible for preparing an IT budget that includes all IT activities within the component organization.
However, the IT Division accounts for only 26% of the total technology spending across the agency. As shown in Figure 6, TSA-wide spending in FY 07 for IT and security technology reached over $1.5 billion. While the TSA IT Division office is responsible for $408 million, the OST has purview over $1.1 billion, comprising the majority of the agency’s IT-related spending. This $1.1 billion covers transportation security technology equipment, programs, operations, research and development. Of the $1.1 billion, $15.1 million is allocated specifically for IT through its Security Technology Integration Program. Additionally, in FY 07, the TTAC IT budget was $44.2 million, the FAMS IT budget was $22.4 million, and the Office of Intelligence and Analysis IT budget was $3.7 million—all apart from IT Division authority and control.

[Figure 6: FY 07 IT and Security Technology Spending Across TSA Offices. Bar chart, amount spent in millions by office: OST $1,107,400,000* (IT portion $15,100,000), ITD $408,000,000, TTAC $44,159,270, FAMS $22,400,000, OIA $7,100,000**. *Total OST aviation security FY07 funds, of which $15,100,000 is categorized as IT. **Combined FY06 and FY07. Source: TSA data collected April-May, 2007. TSA offices represented in this chart was based on data received]

[14] Paperwork Reduction Act of 1995, Public Law 104-13, May 22, 1995, Sec. 3506(h); Clinger-Cohen Act of 1996, Public Law 104-106, Feb 10, 1996, Sec. 5122-5123.

Since the agency’s inception,
TSA offices have struggled to reach consensus on a shared definition of IT to help in consistently classifying and tracking IT spending across TSA component offices. TSA historically has relied on a vague definition of IT, based on Office of Management and Budget Circular A-11 and the Clinger-Cohen Act. Currently, airport security technology equipment, such as EDS and ETD machines, is not considered IT. In this structure, the OST manages security technology equipment and programs separate from the IT Division’s traditional IT infrastructure systems. However, a number of TSA officials expressed confusion and offered conflicting opinions on what constitutes IT in the absence of clear TSA definitions and guidance. In March 2007, however, DHS provided an updated definition of IT in its DHS Management Directive 0007.1. According to TSA officials, this directive may help to address the previous ambiguity, but its impact remains to be seen.

Delineation of what constitutes IT also is a major issue as it relates to the acquisition process. With the IT Division’s help, the Office of Acquisition screens new programs to determine whether they are IT initiatives. Investments deemed “non-IT” are not subject to the same level of documentation or technical reviews as IT programs.
Further, the CIO has limited involvement in “non-IT” programs, which hinders the possibility of leveraging or integrating existing solutions.

Coordination with Business Offices Is Limited

Several TSA officials said that there is a general need for more effective coordination between the IT Division and business offices. Because many TSA IT programs are not managed or funded within the CIO’s purview, the CIO’s ability to monitor program progress or coordinate with business units is sporadic and often “too little, too late.” According to several IT officials, when business units develop systems independently of the IT Division, this presents challenges for the CIO. Deploying new systems on the network without prior coordination creates anxiety as to whether the systems will operate in the existing environment, meet security standards, or incur additional cost to incorporate redundant IT elements.

According to multiple TSA senior executives, there is no official, including the CIO, with a central purview over all IT across the agency. Rather, coordination between the IT Division and business managers often is done on an ad hoc basis or through established working relationships. Some IT Division staff said that their awareness of major IT projects often is derived from the IT security process with projects only becoming visible as they undergo certification and accreditation.
One IT staff member said that the IT Division gets more information on TSA’s major IT projects, such as Secure Flight, from the news media than from within the agency. In fact, IT management recently designated a contractor to monitor the internet to maintain awareness of new IT initiatives across TSA.

Immature IT Strategies, Policies, and Guidance

As with investment management, TSA has not instituted a focused approach to formulating overarching IT strategic goals, policies, or guidance to achieve mission outcomes. IT strategic planning is conducted in a decentralized manner across the organization without cohesive direction or supporting policies to ensure alignment. Although the agency has recently begun instituting IT management tools such as an enterprise architecture to increase integration and standards for the IT environment, the tools are not yet fully developed or implemented.
Further, IT support services are decentralized across a number of different offices, because the IT Division’s limited resources have prevented it from serving as a central source of IT support.

TSA Needs Effective IT Planning and Management

The Government Performance and Results Act of 1993 (Public Law 103-62, August 3, 1993) holds federal agencies responsible for strategic planning to ensure efficient and effective operations and use of resources to achieve mission results. Further, the Clinger-Cohen Act requires agencies to develop and maintain an integrated, enterprise-wide architecture for the agency. Developing this enterprise architecture would define and set the standards for executing the agency strategy and implementing the systems and technologies in an integrated manner to accomplish mission goals.

However, TSA has not institutionalized an effective IT strategic planning process to support an agency-wide vision or agency-wide goals and objectives. Rather, competing plans have been developed in different parts of the organization. Specifically, both the IT Division and the OST, its counterpart, have developed strategic plans. Both plans have been implemented and are in use to guide IT within the respective offices. However, there is no clear correlation between the two plans.
For example, the FY 2005 to 2006 CTO strategic plan is focused on achieving TSA’s mission by providing security technology solutions.[15] In contrast, the IT Division’s FY 2006 to 2008 strategic plan outlines an internally focused vision that includes collaboration among TSA’s business units and the IT Division becoming TSA’s preferred IT services provider.[16]

[15] TSA Chief Technology Officer Strategic Plan, FY 2005–2006.
[16] TSA Information Technology Division Strategy, FY 2006–2008.

Within the overarching OPT office that brings the IT Division and CTO operations together, planning officials hope to update and develop a single strategic plan for all TSA offices that strengthens IT alignment with the agency-wide strategy. However, this OPT planning effort is ongoing, with a target completion date of December 2007.

Similarly, business planning also is performed at the office level across the agency. These plans are at various stages of completion or execution. For example, the FAMS and Transportation Sector Network Management (TSNM) develop and maintain their own strategic plans due to the size and organizational structure of these offices.
Specifically, TSNM has 10 transportation modes within the office that must consolidate planning efforts.

Because of the decentralized IT planning, there is no long-term, unified vision for aligning IT investments and programs within the agency. According to one official, the agency has only a near-term, tactical view by which to operate. For instance, although TSA has begun planning the “checkpoint of the future,” which is a set of long-term goals for security checkpoints, TSA has not refined this vision to outline how security screening operations will be supported by technology. There has been much speculation among field directors regarding whether this vision will involve cutting edge technologies or redesigned processes and operations. Without a clear vision, it will be difficult to get participation and buy-in from across the agency for an enhanced security screening approach.

Lacking a unified IT strategy, there also is no way to align TSA’s disparate IT initiatives and resources with the strategies of the overarching department and agency. IT alignment is important to better enable each TSA office and business unit to carry out its role in support of DHS’ homeland security mission. Further, IT alignment with the TSA vision will help ensure that each office and business unit is progressing toward accomplishing the agency’s goals and objectives.
However, senior IT officials stated that the methods for achieving such strategic alignment are limited while the organization is still evolving. In the past year, TSA has established a Strategic Planning Office within the Finance and Administration office, which is taking a “grassroots” approach to leveraging the lower-level office and business unit plans to build one high-level strategic plan.

Additionally, TSA has not yet instituted an enterprise architecture as a framework for transitioning from its stovepiped and redundant systems to an integrated IT environment. Since FY 2005, TSA has made strides in developing its enterprise architecture to help analyze business and IT needs; however, the framework has not yet been fully developed or employed.

The IT Division’s Business Management Office, responsible for the enterprise architecture effort, is in the initial stages of defining the existing “as-is” environment. As part of this effort, senior TSA officials are focused on mapping the business processes of federal security directors in the field and outlining credentialing operations within TTAC. Subsequently, the agency will define the future “to-be” state and develop a transition plan. TSA’s recent award of a new contract for enterprise architecture support and development has demonstrated increased focus on this effort.
Once it is completed, the IT Division plans to use the architecture within the IT review process as a tool for aligning services to needs and identifying technical risks.

IT Support Services Are Decentralized

Although the IT Division’s vision is to be TSA’s “preferred IT provider,” business offices throughout TSA currently provide their own IT support in a variety of ways. These independent support services have evolved in part because the IT Division has not had the staff or issued the guidance needed to support TSA-wide IT operations effectively.

Since its inception, the IT Division has faced the daunting challenge of delivering IT support despite a chronic lack of staff. In general, staffing trends in the IT Division have remained level over the years. Specifically, the IT Division has about 132 full-time government staff managing IT for approximately 50,000 total TSA employees. However, these staffing levels have not been adequate for the IT Division to meet the mission and administrative needs of other TSA offices, such as IT procurement guidance, tailored technology solutions, and dedicated technical staff support.
For example, TSA’s Office of Redress approached the IT Division for help in developing a system that would allow airline passengers to submit online requests for their names to be cleared from TSA’s No Fly List, but the IT Division could not provide timely assistance due to its resource limitations. As a result, the Office of Redress hired its own contractor, who built a system that contained significant security flaws when launched.

Additionally, because basic infrastructure support has been the IT Division’s priority to date, the IT Division has not been able to focus on developing and supporting customized applications to benefit specialized business needs. For example, soon after TSA began operations, the Human Capital Office wanted to acquire a system to track human resources data. Because the IT Division was not able to divert staff to support this project, Human Capital procured its own system and hired its own technical support personnel to manage it.

To complicate matters, despite the staffing shortfalls, IT Division workloads have increased over time commensurate with agency growth. The IT Division has relied on contractor support and managed services to provide the level of IT service and support necessary for an agency of TSA’s size and scope. At the same time, the number of full-time government employees in the IT Division has been slipping over time due to attrition.
Program officials said that staffing levels really should be increasing to meet the increased workloads and targeted service goals and to allow adequate oversight of contractors. In the opinion of senior IT management, the number of employees needed to accomplish IT Division responsibilities is 250 to 300—nearly double the current government workforce. As illustrated at Figure 7, the IT Division’s budget has steadily increased, which could accommodate an increase in IT support staff and services.

[Figure 7: IT Division Funding to FTE History. Two charts covering FY02 through FY07. Funding (in Millions): FY02 $108.2, FY03 $269.5, FY04 $262.7, FY05 $312.0, FY06 $434.0, FY07 $403.0. FTE History: two series, FTE Authorized and FTE On-Board. Provided by TSA March 28, 2007.]

However, the IT Division has not received the FTE authorizations needed, commensurate with the budget increases. According to senior technology officials, TSA leadership must first give permission for program dollars to be used for hiring full-time employees.
However, there is a lack of confidence within the agency that the IT Division is capable of going beyond its historical role of basic infrastructure support to deliver a fuller range of services. Officials attributed this lack of confidence, in part, to the poor performance of the IT managed services contract.

Lacking adequate support from the IT Division, a number of TSA offices employ their own specialized IT support units. These offices justify the need for their own support services by citing factors such as unique mission or business operations or IT Division limitations. For example, the FAMS office has established an IT staff of 13 to manage its infrastructure and network and oversee contractors. Similarly, the TTAC office has an IT staff of 10 to provide technical expertise for contract oversight and support the office’s operations.
In addition, the TSNM office has its own staff of IT specialists who provide support for the 10 different modes of transportation under TSNM, as well as priority support services for executive management. Although these separate IT support staffs are considered necessary to support the agency’s mission, they also lead to duplicative efforts and expenses, inefficiencies, and a lack of standard processes and practices.

IT Division management hopes to rein in these disparate IT support resources by widening the range of services that they offer and increasing the reliance of the business units on the IT Division over the coming year. For example, the IT Division plans to expand its services to include more development and customization of applications to meet business unit needs. As part of this effort, the IT Division also will leverage the newly increased network connectivity to improve the effectiveness of new and continuing IT initiatives.

To further its relationships with the business units, the IT Division has assigned an account manager to work with each TSA business office and serve as a liaison for meeting IT needs. IT Division management anticipates that the benefits of this arrangement will include increased awareness of the customer’s business and technical needs, particularly in terms of developing and gathering requirements.
Additionally, this approach is intended to build the reputation of the IT Division, and to increase its visibility throughout the organization.

As of October 2006, the IT Division had begun implementing plans and applied $3 million in FY 2007 funds to support the account manager approach. Initial reception of this approach has been positive, and business units are communicating through the account managers to bring more issues to light. The IT Division continues to define the account manager’s role to further enhance inter-office working relationships and ensure effective IT service delivery.

Numerous Challenges Exist in External Stakeholder Coordination

Coordinating with transportation systems stakeholders is a major challenge for TSA. A number of federal laws, including the Homeland Security Act of 2002 (Public Law 107-296, Nov. 25, 2002) and the Aviation and Transportation Security Act, govern how the agency must partner with stakeholders to carry out its transportation security operations.
Taken together, these laws require that the agency carefully mete out its limited financial and administrative resources to address the needs of each stakeholder on an individual basis. TSA’s challenges in meeting these responsibilities, as illustrated in Figure 8, include:

• Balancing the competing interests of numerous external organizations whose missions and operations are inherently different from one another strains TSA resources and budgets.
• Applying customized solutions to accommodate varying requirements due to differences in stakeholder facilities, capabilities, and technology.
• Communicating with stakeholders effectively on the guidelines for obtaining funding and meeting transportation security technology standards.
• Meeting federal requirements and public concerns about data privacy and security to satisfy stakeholder needs.

[Figure 8: TSA’s Challenges in Stakeholder Coordination. Diagram centered on “TSA Challenges” with the labels Airlines, Airports, Airport Owners, TSA Guidelines, Funding Decisions, Technical/Technology, Financial, and Civil Liberties.]

Addressing these challenges may improve TSA’s ability to move from a reactive to a proactive approach in applying resources to meet priority requirements. Although a number of the challenges may be beyond TSA’s control in some respects, the agency nonetheless can increase its ability to respond to unique stakeholder requirements by ensuring that clear transportation security technology guidelines and funding criteria are communicated and consistently applied.
Additionally, identifying and devising strategies in advance to mitigate the risks of compromise or unauthorized disclosure of personally identifiable information can also alleviate concerns about the privacy and security of TSA data.

Meeting Stakeholders’ Diverging Interests

Collaborating and interacting with multiple stakeholders to design and deploy screening technologies to over 450 airport facilities is no easy task for TSA. The challenge arises from the fact that the stakeholders, including airport owners and operators as well as commercial airlines and their customers, have differing interests, responsibilities, and priorities.

For example, TSA must consider a number of factors in designing and implementing screening solutions to meet airports’ interests and operational needs. Most airports are owned by state or local governments and operated by government-funded airport authorities and must focus on meeting community and taxpayer needs. As such, they are concerned with controlling costs, managing revenue flows, and serving the traveling customer.
At the same time, however, airports must place a premium on ensuring safety and preventing transportation security incidents.

TSA often is caught in a dilemma in working to ensure aviation security concurrent with meeting the airports’ divergent operational and customer service needs. For example, the complex screening equipment that TSA deploys to help ensure aviation security often is extremely heavy and bulky, and consumes a considerable amount of space. Airports with space or building engineering constraints sometimes must place the equipment in lobby areas, increasing congestion and passenger processing times. This incursion also poses public safety issues, since crowded spaces are difficult to monitor and patrol.

In addition, airports may lose income when security checkpoint or baggage screening equipment takes up valuable retail space that could be used for more profitable operations, such as food courts or parking lots. Further, one TSA official said that while deploying backup screening equipment on site meets the airports’ concern about guarding against service disruptions, TSA finds it difficult to justify the redundant expense for the equipment because it is rarely used.

Conversely, TSA is challenged in its efforts to balance aviation security with the profit motive of commercial airlines.
While airlines, too, are concerned with security, as private companies they are primarily focused on business and performance goals, reputation, and customer service, which affect revenue. For example, one airline representative said that frequent TSA baggage screening equipment failures during morning rush hour peak times result in flight delays and tens of thousands of dollars in additional operating costs. An airline official told us about another instance where TSA equipment breakdowns led to about 50 bags not making it onto a flight, inconveniencing passengers and causing increased operating expenses for the airline to track and ship the delayed luggage.

In addition, several airlines provide TSA with booking information in advance to assist in scheduling the appropriate number of screening personnel for duty and help alleviate long passenger screening lines. However, TSA staff shortages and inability to readily adjust the shifts of federal screeners to meet workload demands may result in backed up lines at peak periods or substantial overtime costs. Such inconveniences result in customer complaints and negative perceptions of both the airlines and TSA.

Accommodating Varying Stakeholder Capabilities

Another challenge that TSA faces is designing security solutions and systems to accommodate disparities in stakeholder capabilities.
Factors such as facility size, capacity, budget, current technology, and staffing affect TSA’s ability to execute security operations effectively. For example, some airports have the capacity to integrate sophisticated “in-line” EDS systems with luggage conveyance systems to automate baggage screening; others are constrained by building engineering, geographic location, or airport construction or modernization plans that limit the type and amount of equipment that they can deploy. Such constraints may lead to temporary solutions or sub-optimal baggage screening arrangements where machines are placed in lobbies, temporary structures, or other less convenient areas. Further, financial resource limitations also may affect screening system designs. For example, while some airports can afford state-of-the-art screening systems, others struggle to meet minimum standards and maintain outdated equipment.

Variations in airlines’ technical capabilities also hinder TSA mission execution. Technology used in critical initiatives, such as the No Fly List, which aids airlines in prescreening passengers for potential security risks, must accommodate the airlines’ technical limitations. Specifically, since there is no common system across the airlines for downloading and using No Fly List data, TSA must use “lowest common denominator” technology to distribute the information.
To accommodate small airlines that must view the data manually, TSA uses the simplest formats, i.e. Microsoft Excel, to disseminate the lists, although other airlines would prefer more sophisticated formats. The lack of consistent systems across airlines also means that small adjustments in data presentation, such as changes in spreadsheet column widths or capitalization of letters, can cause system crashes and considerable additional expense.

Communicating Security Regulations and Guidelines

TSA faces challenges in clearly and effectively communicating to stakeholders regarding guidelines for implementing security technology and obtaining funding. TSA is responsible for providing aviation security guidance, such as the requirement to screen all passengers and checked baggage for air travel. Typically, TSA’s approach has been to coordinate with each airport on a case-by-case basis to work through complex cost-sharing models and project scopes. TSA employs various tools such as prioritized site lists, letters of intent, and letters of prejudice, which preserve eligibility for self-funding airports to receive federal reimbursements in the future, to manage the airports’ competing needs for funding and resources.
However, addressing the complexities and varying conditions at the individual airports takes time and fosters a reactive and uneven response to airport needs. As such, airport and airline officials have complained about a lack of clarity and consistency in policy documentation and execution.

Airports are particularly concerned about a lack of clear guidance from TSA about the implementation of in-line baggage screening systems. The airports and TSA have met previous deadlines for 100% passenger and baggage screening in accordance with the Aviation and Transportation Security Act.

While the 100% requirement is clear and remains in effect, the added requirement to increase automation and efficiency by replacing ETD devices and stand-alone EDS machines with in-line systems where possible is less clear. Such systems are costly, yet airport officials have said they see a lack of TSA policies on funding or implementation of these in-line baggage screening systems at airports. A TSA official confirmed that TSA has not issued such policies, but the agency has developed a framework for different levels of automation, as well as suggested solutions for 250 airports, based on their size and other characteristics.
The framework also presents a prioritized list of the top 25 airports for which TSA funding assistance is planned, based on a quantitative analysis using weighted criteria.

However, a number of airport officials and TSA field personnel do not have sufficient awareness or understanding of these and other equipment and funding guidelines to make the guidelines useful. With regard to implementing and deploying security technology, airport officials said that there do not appear to be definitive or consistent processes coming from headquarters. These officials also said that the funding process is “opaque,” characterized by a lack of criteria and uniform procedures for securing TSA financial assistance. Officials and TSA field personnel also were unaware of their airport’s funding prioritization status. Even at airports that had received or expected to receive funding, there were ongoing negotiations and disagreements regarding what TSA would or would not fund.

Without systematic and objective guidance and procedures, airport officials often must engage in time-consuming negotiations with TSA headquarters regarding funding and technology standards, not knowing whether their concerns will be equitably addressed.
Airports encounter difficulties in long-term planning and financing of security technology improvements because officials do not know whether or how much TSA may eventually contribute to assist their efforts. Further, security technology improvements that airports undertake must be scaled back in some cases due to these financing uncertainties and airports’ limited budgets. As a result, new screening systems and other security equipment that may be in place for years fall short of meeting TSA’s performance and efficiency expectations. Since less efficient equipment requires more people to support operations, the installation of less efficient long-term systems also results in continued high staffing needs and expenses for TSA.

Addressing Data Privacy Concerns

Establishing the appropriate balance between executing mission responsibilities and respecting the privacy and legal rights of the public is a challenge for TSA as it develops new security systems and implements pilot programs. For example, in 2002, TSA identified a new screening technology called “backscatter” as a solution to improve detection of concealed threat items such as liquids and plastics. However, the system’s X-ray capability has raised privacy concerns regarding protection of the images generated by the equipment.
As a result, the agency delayed the launch of a pilot program and eventually applied privacy filters to reduce body image output.

The Secure Flight program also has faced numerous challenges in responding to concerns about its ability to safeguard personally identifiable information. The program is intended to replace the No Fly List by creating a consistent platform for consolidating watch list data and prescreening passengers. However, concerns have been raised regarding the ability of U.S. passengers to seek redress from TSA if they are selected for additional screening or denied boarding privileges due to incorrect name matches identified by Secure Flight or the interim No Fly List procedures. These concerns were heightened in February 2007 when TSA launched a website through which passengers could submit online redress requests. The initial website lacked proper encryption for data submitted, as well as other information assurance features, raising questions regarding the security and validity of the site.

A recent loss of TSA computer equipment has led to further public scrutiny of the agency’s ability to appropriately safeguard data that includes personal information. Specifically, on May 4, 2007, a TSA hard drive was discovered missing.
The hard drive contained personal, payroll, and financial information on an estimated 100,000 current and former TSA employees. Subsequently, some of the affected employees filed a lawsuit against the agency, charging negligence on TSA’s part. Although TSA has no evidence thus far that the data has been misused, the agency determined that all affected employees would be provided with free credit monitoring for up to one year in order to prevent fraud and identity theft.

Recommendations

We recommend that the Assistant Administrator for TSA strengthen agency IT management by:

1. Empowering the CIO with agency-wide IT budget and investment review authority to ensure that IT initiatives and decisions support accomplishment of TSA mission objectives.

2. Developing a consolidated strategic planning approach to ensure that IT plans across the agency are well-aligned and linked to the DHS strategic plan, providing a clear vision of how information and technology will be managed to support TSA and DHS mission objectives.

3. Completing and implementing an enterprise architecture to establish technical standards and guidelines for systems acquisitions and investment decisions.

4. Establishing and communicating guidelines and procedures for acquiring, developing, and managing IT solutions in a consistent, integrated, and efficient manner.

5. Applying adequate staff resources to strengthen the IT Division in addressing IT needs and providing support to TSA operations agency-wide.

Management Comments and OIG Evaluation

We obtained written comments on a draft of this report from the Assistant Secretary, Transportation Security Administration. We have included a copy of the comments in their entirety at Appendix B.

The Assistant Secretary concurred with our recommendations and provided comments on specific areas within the report. In these comments, the Assistant Secretary explained the agency's position on whether security technology should be considered as an IT asset. Additionally, the Assistant Secretary gave examples of recent efforts to ensure coordination with stakeholders and clarified its data privacy challenges.

We have reviewed the Assistant Secretary’s comments and made changes to the report as appropriate.
The following is an evaluation of the issues raised, as outlined in the comments discussion provided by TSA.

TSA IT Assets

In the comments, the TSA Assistant Secretary stated concern over the inclusion of security technology equipment as part of this review of TSA’s IT infrastructure. TSA stated that per the DHS Management Directive 0007.1 definition of IT, security technology equipment should not be included as IT. We are aware of this definition of IT, which was released subsequent to our initial fieldwork, and we acknowledge that the principal function of security technology equipment is for the purpose of screening persons or items. We have modified our report to ensure that security technology equipment is not specifically referred to as IT.

In reviewing TSA’s IT management capabilities, we examined TSA’s broad IT infrastructure, including security technology equipment, which plays a critical role in executing TSA’s mission operations. We determined that as screening processes become more automated, it will be difficult for TSA to separate its security technology equipment from the agency’s IT assets.
For example, to better automate threat detection and handling functions, an increasing number of TSA’s security-screening operations are enabled by computers using IT features such as the following:
• graphical interfaces,
• sophisticated algorithms,
• networking capabilities,
• complex software, and
• multi-dimensional image displays.

As IT and screening technologies converge, TSA will need to address, and plan for, the possible impact that screening systems have on its IT infrastructure.

Additionally, regarding the budget allocation references for TSA’s IT assets, TSA stated that the inclusion of the OST Passenger Screening Program and Electronic Baggage Screening Program funding activity as IT spending was misleading. TSA also said they have captured IT elements of both the Passenger Screening Program and the Electronic Baggage Screening Program into the Security Technology Integration Program budget, which is significantly less compared to the total budgets for these two screening programs. Further, TSA stated that the Office of Management and Budget has concurred with this designation of IT for the Security Technology Integration Program as recently as March 2007.
We recognize that TSA has captured the IT elements of each screening program and is managing these IT functions through the Security Technology Integration Program budget. Accordingly, we have modified the report section on budget management and the related IT spending chart to reflect the IT portion of the OST total FY 07 budget.

Stakeholder Challenges

In response to stakeholder challenges pertaining to collaboration and guidance, the TSA Assistant Secretary stated that stakeholders are actively engaged on matters of airport checked baggage screening systems. Specifically, TSA stated that it has worked with industry stakeholders to develop in draft Planning Guidelines and Design Standards for Checked Baggage Inspection Systems that will be released at the end of calendar year 2007. Additionally, in June 2007, TSA issued a guide to airports applying for FY 2009 EDS system funding. We recognize recent TSA efforts to work with stakeholders to carry out its transportation security operations. However, TSA must continue to develop and communicate clear guidelines to ensure a consistent level of awareness among stakeholders.

Additionally, TSA indicated that safety and privacy data protections of the new imaging technology did not lead to a delay in the field operational test and evaluation. TSA said that the delays were due to concerns with the reaction of the public regarding privacy, not the actual data protection or data privacy.
We modified the report to clarify the privacy concerns with the "backscatter" technology. However, data privacy remains a challenge that TSA will continue to face as they increase security operations.

Report Recommendations

The Assistant Secretary concurred with our recommendations in their entirety and stated that the recommendations will help TSA improve and implement more effective oversight of IT investments. TSA outlined a number of steps already taken to address several of the report recommendations. We believe that such efforts demonstrate progress toward addressing the various issues we raised in our report. We look forward to learning more about continued progress and improvements in the future.

In response to recommendation 1, the Assistant Secretary acknowledged the need for CIO investment review authority over TSA's IT initiatives.
The Assistant Secretary stated that TSA is ensuring compliance with DHS Management Directive 0007.1 for CIO accountability of the performance, budgeting, expenditure, and staffing of the agency's IT resources. Specifically, TSA has focused on ensuring IT resources and purchasing services are included in TSA's IT portfolio and support the agency's strategic plan, business requirements, and risk management process.

Responding to recommendation 2, the Assistant Secretary said that TSA is currently updating the TSA IT Strategic Plan and it is scheduled for completion by October 2007. The new TSA IT Strategic Plan will be compliant with the TSA Strategic Plan and outline TSA's IT vision, mission, strategy, and goals through 2010.

To address recommendation 3, the Assistant Secretary stated that TSA recently awarded a contract to provide support for assessing and improving enterprise architecture management. TSA will map processes, data, applications, and infrastructure to the Federal Enterprise Architecture and TSA Strategic Goals. Eventually, this effort will consolidate common practices and data, enable consistent use of technology, reduce stovepipe solutions and redundancies, and help TSA plan for future needs.

In response to recommendation 4, the Assistant Secretary said that the TSA OCIO is transforming its business processes in accordance with DHS Management Directive 0007.1 to ensure effective management and administration of all agency IT resources and assets.
Specifically, the TSA investment review process will assess all programs in terms of program alignment, enterprise architecture, IT security, and infrastructure and applications optimization.

Finally, to address recommendation 5, the Assistant Secretary stated that the TSA Office of Human Capital completed a position management review of the IT Division in August 2006 to determine appropriate staffing levels. This review determined that the TSA IT Division required 164 full-time employees, over 30 more employees than the current staff level.

Appendix A
Scope and Methodology

As background for this audit, we researched and reviewed federal guidance and laws related to TSA’s responsibility to design, deploy, and maintain technologies to protect the nation’s transportation systems. We reviewed recent GAO and OIG reports related to TSA IT systems, contracts, security, and program management. We searched the internet to obtain testimony, published reports, documents, and news articles regarding TSA operations. Using this information, we designed a data collection approach that consisted of focused interviews and documentation analysis to accomplish our audit objectives.
We then developed a series of questions and discussion topics to
facilitate our interviews.

Collectively, we interviewed over 90 TSA HQ and field management officials
and staff to understand TSA’s strategy and processes for managing IT.
Officials within the IT Division told us about the current IT management
environment and how it is evolving. We interviewed TSA leadership to
understand the division of roles and responsibilities related to developing and
implementing TSA systems. In particular, we met with OST officials to
discuss the development and deployment process for aviation security
technology. Additionally, we met with senior TSA officials to discuss how IT
investments are budgeted and monitored across the organization. Finally, we
met with program managers within several TSA offices to learn about
coordination, project management, and standards in implementing major
programs and IT systems.

Further, we visited five airports where we toured facilities and interviewed
TSA employees such as Federal Security Directors, Training Coordinators,
Security Managers, and IT Specialists to learn about their functions and
operations. We discussed the current IT infrastructure, local IT development
practices, and user involvement and communication with headquarters.
We gathered input on the system lifecycle development and deployments, as well
as performance metrics and maintenance activities.

Additionally, we met with TSA stakeholders, including airport owners and
airline operators. We discussed their coordination with TSA and the extent to
which they are affected by TSA decisions such as project funding, system
implementations, and watch list monitoring. Finally, we met with the
Transportation Security Lab in Atlantic City, New Jersey, where we discussed
the ongoing development and testing of new security technologies before they
are transferred for use at TSA field locations. We gathered and analyzed
numerous documents that the range of TSA officials provided on IT
management topics, such as systems and tools, processes and procedures,
investment planning, governance oversight, infrastructure management,
program planning, and budget execution.

We conducted our review from February 2007 to May 2007 at TSA
headquarters in Washington, DC, and at TSA field locations in New York
City (NY), Atlantic City (NJ), San Jose (CA), San Francisco (CA), and
Phoenix (AZ).
We performed our work according to generally accepted
government auditing standards.

The principal OIG points of contact for this audit are Frank Deffer, Assistant
Inspector General for Information Technology Audits, and Richard Harsche,
Director of Information Management. Major OIG contributors to the audit are
identified in Appendix C.

Appendix B
Management Comments to the Draft Report

Appendix C
Major Contributors to This Report

Information Management Division
Sondra McCauley, Director
Kristen Evans, Audit Manager
Steve Ressler, Auditor
Therese Doucet, Auditor
Elizabeth Bakanic, Intern
Beverly Dale, Referencer

Appendix D
Report Distribution

Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
DHS Assistant Secretary for Policy
DHS Assistant Secretary for Public Affairs
DHS Assistant Secretary for Legislative and Intergovernmental Affairs
DHS Chief Information Officer
DHS Deputy Chief Information Officer
Transportation Security Administration Audit Liaison
Assistant Secretary, Transportation Security Administration
Transportation Security Administration, Assistant Administrator, Operational Process and Technology
Transportation Security Administration Deputy Chief Information Officer

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG)
at (202) 254-4199, fax your request to
(202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • E-mail us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
      DHS Office of Inspector General/MAIL STOP 2600, Attention:
      Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
      Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.